Contributions to identity-based cryptography

In traditional public key cryptography, public keys of users are essentially random strings generated from random secret keys. Hence, public key certificates are required to attest to the relations between users\u27 identities and their public keys. In the identity-based cryptography, public keys can be identities such as names, email addresses or IP addresses. This avoids the use of certificates which is a burden in traditional public key cryptography. Attribute-based cryptography originated from the identity-based cryptography goes one step further to support fine-grain access control. In the attribute-based cryptography, a user is defined by a set of attributes rather than atomically by a single string. In this thesis, we investigate several cryptographic primitives in the identity-based setting and its successor, attribute-based setting. There are two classes of digital signature schemes: signature schemes that require the original message as input to the verification algorithm and signature schemes with message recovery which do not require the original message as input to the verification algorithm. One of effective methods for saving bandwidth in transmission is to eliminate the requirement of transmitting the original message for the signature verification. In a signature with message recovery, all or part of the original message is embedded within the signature and can be recovered. Therefore, it minimizes the total length of the original message and the appended signature. In this thesis, we consider digital signatures with message recovery in both the identity- based multisignature setting and the attribute-based setting. In the identity-based multisignature with message recovery, multiple signers generate a single constant size multisignature on the same message regardless of the number of signers. The size of the multisignature is the same as that of a signature generated by one signer. Furthermore, it does not require the transmission of the original message in order to verify the multisignature. In the attribute-based signature with message recovery, the signature size is the same as that of a traditional attribute-based signature, but it does not require the transmission of the original message for the signature verification. When messages are transmitted in such a way that both privacy and authenticity are needed, authenticated encryption or signcryption could be used. Usually, there may be some additional information, such as a header, transmitted along with the ciphertext. The header might be public, but have to be authenticated. Authenticated encryption with associated data can be achieved only in the symmetric key setting. In this thesis, we propose a generic construction of identity-based authenticated encryption with authenticated header. Using this cryptographic primitive, everyone is able to check the validity of the authenticated ciphertext and access to the authenticated header; only the designated receiver can recover the payload. Our scheme has potential applicability to big data. We consider two types of computation on authenticated data. One requires secret information of the original signer, such as the sanitizable signature and the incremental signature. The other one does not require any secret information of the original signer, which means that anyone is able to conduct the computation, but only for a class of specified predicates. In this thesis, we propose two novel schemes, one for each type. The first one is the identity-based quotable ring signature scheme. We extend the ring signature scheme to be quotable. Anyone can derive new ring signatures on substrings of an original message from an original ring signature on the original message. No matter whether a ring signature is originally generated or is quoted from another ring signature, it will convince the verifier that it is generated by one of the ring members. The verifier could not distinguish whether a ring signature is originally generated or is quoted from another ring signature. The second one is the attribute-based proxy re-signature scheme. Only the designated proxy who possesses some secret information of the delegator can re-sign original signatures. The semi-trusted proxy acts as a translator to convert a signature satisfying one predicate into a signature satisfying another different predicate on the same message. The proxy cannot learn any signing key and cannot sign arbitrary messages on behalf of either the delegator or the delegatee. It solves the open problem of finding a multi- use unidirectional proxy re-signature scheme where the size of the signatures and the verification cost do not grow linearly with the number of translations